UCF STIG Viewer Logo

The IDPS must protect application audit and sensor event logs information from unauthorized read access.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-NET-000098-IDPS-000107 SRG-NET-000098-IDPS-000107 SRG-NET-000098-IDPS-000107_rule Medium
Description
Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system. Audit and event log data must be protected from unauthorized access, including from legitimate administrators who are not do not have a need for this type of access. Without this protection, a compromise or loss of log data needed for incident analysis or risk assessment. There are two types of log files required for IDPS components, the sensor event log/queue and the application audit trail log. The sensor event log stores detected events based on sensor network scans. The application level audit trail log stores auditing results of enforcement actions based on the access control restrictions and other security policy for the IDPS itself.
STIG Date
IDPS Security Requirements Guide (SRG) 2012-03-08

Details

Check Text ( C-43238_chk )
Verify a security policy for the audit logs is in place which allows only system administrators with the proper authorization to read the audit log on the sensors and management console.
Verify a security policy for the sensor event logs is in place which allows only system administrators with the proper authorization to read the sensor log on the sensors and management console.

If audit logs are not protected from unauthorized read access, this is a finding. If event logs are not protected from unauthorized read access, this is a finding.
Fix Text (F-43238_fix)
Create and implement an access control security policy to prevent unauthorized read access of the audit logs on the management console and sensors.
Create and implement an access control security policy to prevent unauthorized read access of the sensor event logs on the management console and sensors.